Overview

overview

10

Static

static

Quotation.exe

windows7_x64

10

Quotation.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    48s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 23:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation.exe

  • Size

    761KB

  • MD5

    82a8dd7c9cb60f7f27a3187735fe0e70

  • SHA1

    64db00701378728d6bfa898795922017b3c39bcb

  • SHA256

    f9eb2b428ced4131d2846e50d56e87302b6b7ff986c6c524c55d5cef53111d2e

  • SHA512

    cd8939f5a729bd430644a074a4bc0792277843feb72e7cb47f8f7a46b0497381cb5354486b7dc4d9cceb0dbd0e6a78a08e7a768a8ebeb3c564fe11c74e05ed90

Score
10/10
massloggerspywarestealer

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1528
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jKyhYdgyjTlQP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFE1E.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2000
    • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
      2⤵
        PID:1688
      • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1888
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 372
          3⤵
            PID:276

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpFE1E.tmp
        Filesize

        1KB

        MD5

        26f990560bfb3024dc98cf3749632fd5

        SHA1

        fe1b53c74834dca04ea7ffba03cbf02d84aa7001

        SHA256

        342028a111af0b09929681a3d72d9cd1d1fb183b2070a0987e1eccdd57bb1283

        SHA512

        5b9bc34d995e402efefb2752723605870f8adb12e860abf8e99b9ded8fcd3cc7ebbfcb5f6029ff32012ac915e275b357ea469b10fff46c0993fb9685dc8c9e1e

        Download Submit
      • memory/276-70-0x0000000000000000-mapping.dmp
        Download
      • memory/1528-54-0x0000000074DC1000-0x0000000074DC3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1528-55-0x0000000074500000-0x0000000074AAB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1888-62-0x0000000000400000-0x00000000004B0000-memory.dmp
        Filesize

        704KB

        Download
      • memory/1888-59-0x0000000000400000-0x00000000004B0000-memory.dmp
        Filesize

        704KB

        Download
      • memory/1888-58-0x0000000000400000-0x00000000004B0000-memory.dmp
        Filesize

        704KB

        Download
      • memory/1888-61-0x0000000000400000-0x00000000004B0000-memory.dmp
        Filesize

        704KB

        Download
      • memory/1888-63-0x0000000000400000-0x00000000004B0000-memory.dmp
        Filesize

        704KB

        Download
      • memory/1888-64-0x00000000004ABB2E-mapping.dmp
        Download
      • memory/1888-66-0x0000000000400000-0x00000000004B0000-memory.dmp
        Filesize

        704KB

        Download
      • memory/1888-68-0x0000000000400000-0x00000000004B0000-memory.dmp
        Filesize

        704KB

        Download
      • memory/1888-72-0x0000000074490000-0x0000000074A3B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2000-56-0x0000000000000000-mapping.dmp
        Download